Zeus/SpyEye 'Automatic Transfer' Module Masks Online Banking Theft

Automated attack bypasses two-factor authentication

A newly discovered online banking fraud tool cheats two-factor authentication, automates the attack, and hides out so that victims can't see losses or traces of the theft until long after the money is gone.

Security researchers at Trend Micro have spent the past few months studying a dangerous new module for Zeus and SpyEye that automatically withdraws funds from a victim's account without the attacker having to monitor the process, even when the account is protected by strong authentication. So far, the so-called automatic transfer system (ATS) attacks are targeting banking customers in Europe, namely in Germany, England, and Italy, where two-factor authentication (via SMS codes, for example) is in common use.

"What we've seen in the last three months is significantly more advanced and the automation of bypassing two-factor authentication and perpetuating a man-in-the-browser attack," says Tom Kellermann, vice president of cybersecurity for Trend Micro. "It also has the capacity to move funds out of the [victim's] account so that the criminal doesn't have to sit there and wait or wait for communication from his bot. It's totally automated."

Kellermann says the fact that the bad guys have written such advanced tools to target the harder-to-crack European banking isn't "good tidings" for the U.S. "This could easily work on American [online banking systems]," which are not as stringent as European ones, he notes.

And with the ability to withdraw funds automatically, the attackers don't even need to use a money mule to transfer the funds unless they want to, he says. The malware targets Windows machines.

These types of attacks, however, are not new, says Amit Klein, CTO at Trusteer. "The concept is not new," he says. "We have seen this before, but not necessarily the framework" that Trend Micro has studied here, he says.

In one SpyEye attack Trusteer witnessed last fall against a Spanish bank, attackers waged a man-in-the-browser attack and put up a phony login page to bypass dual-factor authentication. Once the bank customer logged into his bank's website, the attacker pushed him a message about an "upgraded security system."

"The customer is invited to go through a training process that intends to help him/her deal with the bank's upgraded security system. As part of the training they’re asked to make a transfer, to a fictitious bank account, and confirm the transaction using the confirmation code that is sent by the bank to the registered mobile phone. Fraudsters claim that the user's account will not be debited and the recipient's account is fabricated. Of course, the transaction then happens, the money is transferred, and the criminal disappears off into the sunset," Klein described in a blog post last fall.

Klein says the trouble with these types of attacks is that once the user's machine is infected, it's game over. "There are a lot of inherent assumptions in online banking. You assume that you can trust the browser and the user's machine to carry out the user's online activities," he says. But all of that goes out the window when man-in-the-browser malware is injected into the picture, typically without the victim's knowledge, he says.

[ The prolific Zeus Trojan has a new role: as a tool for breaking into online corporate payroll systems. See Zeus Trojan Targets Online Payroll Services Providers. ]

Trend Micro researchers found that while traditional man-in-the-browser attacks for online banking fraud use WebInject files to push pop-ups to victims that then steal their online credentials, the new ATS module for Zeus and SpyEye operates in the background and isn't visible. It conducts a wire transfer of the victim's stolen funds without alerting the victim at all.

It hides out and doesn't leave any trace that the malware or attacker was there in the account; as long as the user's machine is infected with the module, he won't see any of the fraudulent transactions in his account.
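The following simulation is an added illustration, not code from the article or from Trend Micro or Trusteer. It models the two confirmation flows discussed above from the bank's side: a bare SMS code that proves only that the phone holder typed something back, and a code bound to the recipient and amount the bank actually received, with the SMS spelling those details out. It also shows the reconciliation a defender can do against the transaction-hiding behaviour of the ATS module. The account names, amounts and secret are constructed; the phone is assumed not to be compromised; and the functions and scheme names are this example's own.

```python
"""Constructed demo of why a bare SMS confirmation code falls to a man-in-the-browser
transfer rewrite, and how a transaction-bound code plus an out-of-band view changes
the outcome.  Nothing here is a real bank's protocol; all values are made up."""
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional, Tuple

# Constructed secret for the demo; a bank would hold per-customer keys in an HSM.
BANK_SECRET = b"constructed-demo-secret"


def bare_code() -> str:
    """Scheme 'bare': a random 6-digit code tied to the session, not to the transfer."""
    return f"{secrets.randbelow(1_000_000):06d}"


def bound_code(recipient: str, amount_cents: int, nonce: str,
               secret: bytes = BANK_SECRET) -> str:
    """Scheme 'bound': 6-digit code derived (HMAC-SHA256) from the transfer the bank
    actually received, so a code confirms exactly one (recipient, amount, nonce)."""
    msg = f"{recipient}|{amount_cents}|{nonce}".encode()
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"


def bound_sms(recipient: str, amount_cents: int, nonce: str) -> str:
    """The SMS carries beneficiary and amount as the bank sees them.  The phone is an
    out-of-band display the PC malware cannot edit (assumed uncompromised here)."""
    code = bound_code(recipient, amount_cents, nonce)
    return f"Transfer {amount_cents / 100:.2f} EUR to {recipient}. Code: {code}"


def user_confirms(sms: str, intended_recipient: str, intended_cents: int) -> Optional[str]:
    """The customer reads the SMS and returns the code only if it describes the
    transfer they meant to make.  The trailing '.' stops prefix matches."""
    expected = f"Transfer {intended_cents / 100:.2f} EUR to {intended_recipient}."
    if not sms.startswith(expected):
        return None
    return sms.rsplit("Code: ", 1)[1]


def run_transfer(intended: Tuple[str, int], submitted: Tuple[str, int], scheme: str) -> Dict:
    """Simulate one transfer.  `intended` is what the user typed into the form;
    `submitted` is what the bank received after the browser malware rewrote it
    (identical to `intended` when there is no man-in-the-browser)."""
    recipient, cents = submitted
    nonce = secrets.token_hex(8)
    if scheme == "bare":
        code = bare_code()
        typed = code          # the user cannot tell what the code authorises; they type it back
        ok = hmac.compare_digest(code, typed)
    elif scheme == "bound":
        sms = bound_sms(recipient, cents, nonce)
        typed = user_confirms(sms, *intended)
        ok = typed is not None and hmac.compare_digest(bound_code(recipient, cents, nonce), typed)
    else:
        raise ValueError(f"unknown scheme {scheme!r}")
    return {"executed": ok,
            "recipient": recipient if ok else None,
            "amount_cents": cents if ok else None}


def hidden_transactions(bank_ledger: List[Dict], browser_view: List[Dict]) -> List[Dict]:
    """What the ATS module conceals: ledger entries missing from the page the infected
    browser renders.  Comparing the bank's ledger with what an uninfected device or a
    paper statement shows exposes them."""
    shown = {(t["recipient"], t["amount_cents"]) for t in browser_view}
    return [t for t in bank_ledger if (t["recipient"], t["amount_cents"]) not in shown]


if __name__ == "__main__":
    intended = ("DE-FRIEND-ACCOUNT", 5000)      # constructed: what the user meant
    rewritten = ("ATTACKER-MULE", 5000)         # constructed: what the malware submitted
    print("bare :", run_transfer(intended, rewritten, "bare"))
    print("bound:", run_transfer(intended, rewritten, "bound"))
    ledger = [{"recipient": "GROCER", "amount_cents": 2399},
              {"recipient": "ATTACKER-MULE", "amount_cents": 5000}]
    view = [{"recipient": "GROCER", "amount_cents": 2399}]   # the ATS dropped one row
    print("hidden:", hidden_transactions(ledger, view))
```

The bound scheme stops the silent rewrite because the only thing the malware cannot touch is the phone's screen, and the code is useless for any other (recipient, amount) pair. It does not stop the "training transfer" ruse Klein describes, where the customer knowingly confirms a transfer to what they were told is a fictitious account: in that case `intended` and `submitted` agree and the transfer executes, which is exactly why that variant relies on persuasion rather than on a technical bypass.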

"We're going to see a huge spike in this commoditized attack code for man-in-the-browser because ... it does everything for [the attacker]," Kellermann says. "You [the victim] don't see anything: When money is moved out of your account, you don't see it. You only see your transactions ... It's elegant."


Kelly Jackson Higgins is Senior Editor. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, ...
